XF 2.3 Make staffbar (but not staff links) visible to all users and guests

Mr Lucky

I want to use the staffbar to add some extra links for anyone (possibly including p-nav-opposite), but obviously I should retain the admin and moderator links in it with only permission for admins and mods.

I have done this by removing the following from PAGE_CONTAINER (shown in red).

I'm just wondering if somebody could confirm please: Is this the best way? Is it secure in regard to the staff only links?

Rich (BB code):
<div class="p-pageWrapper" id="top">

  
<xf:if contentcheck="true">
        <div class="p-staffBar">
            <div class="p-staffBar-inner hScroller" data-xf-init="h-scroller">
                <div class="hScroller-scroll">
                    <xf:contentcheck>
                        <xf:if is="$xf.visitor.is_moderator && $xf.session.unapprovedCounts.total">
                            <a href="{{ link('approval-queue') }}" class="p-staffBar-link badgeContainer badgeContainer--highlighted" data-badge="{$xf.session.unapprovedCounts.total|number}">
                                {{ phrase('approval_queue') }}
                            </a>
                        </xf:if>

                        <xf:if is="$xf.visitor.is_moderator && !$xf.options.reportIntoForumId && $xf.session.reportCounts.total">
                            <a href="{{ link('reports') }}"
                                class="p-staffBar-link badgeContainer badgeContainer--visible {{ ($xf.session.reportCounts.total && ($xf.session.reportCounts.lastBuilt > $xf.session.reportLastRead) OR $xf.session.reportCounts.assigned) ? ' badgeContainer--highlighted' : '' }}"
                                data-badge="{{ $xf.session.reportCounts.assigned ? $xf.session.reportCounts.assigned|number . ' / ' . $xf.session.reportCounts.total|number : $xf.session.reportCounts.total|number }}"
                                title="{{ $xf.session.reportCounts.lastBuilt ? phrase('last_report_update:')|for_attr . ' ' . date_time($xf.session.reportCounts.lastBuilt) : '' }}">
                                {{ phrase('reports') }}
                            </a>
                        </xf:if>

                        <xf:if contentcheck="true">
                            <a class="p-staffBar-link menuTrigger" data-xf-click="menu" data-xf-key="alt+m" role="button" tabindex="0" aria-expanded="false" aria-haspopup="true">{{ phrase('moderator') }}</a>
                            <div class="menu" data-menu="menu" aria-hidden="true">
                                <div class="menu-content">
                                    <h4 class="menu-header">{{ phrase('moderator_tools') }}</h4>
                                    <xf:contentcheck>
                                        <!--[XF:mod_tools_menu:top]-->
                                        <xf:if is="$xf.visitor.is_moderator">
                                            <a href="{{ link('approval-queue') }}" class="menu-linkRow">{{ phrase('approval_queue') }}</a>
                                        </xf:if>
                                        <xf:if is="$xf.visitor.is_moderator && !$xf.options.reportIntoForumId">
                                            <a href="{{ link('reports') }}" class="menu-linkRow" title="{{ $xf.session.reportCounts.lastBuilt ? phrase('last_report_update:')|for_attr . ' ' . date_time($xf.session.reportCounts.lastBuilt) : '' }}">{{ phrase('reports') }}</a>
                                        </xf:if>
                                        <!--[XF:mod_tools_menu:bottom]-->
                                    </xf:contentcheck>
                                </div>
                            </div>
                        </xf:if>

                        <xf:if is="$xf.visitor.is_admin">
                            <a href="{{ base_url('admin.php') }}" class="p-staffBar-link" target="_blank">{{ phrase('admin') }}</a>
                        </xf:if>
                    </xf:contentcheck>
                </div>
            </div>
        </div>
    </xf:if>
 
is it secure in regard to the staff only links?
I just realised this is probably a very stupid question - even if the link was exposed it would have no effect on admin security. Plus any hackers that want to try and get into the admin area would do it with or without the admin link as they would know the URL /admin.php
 
I just realised this is probably a very stupid question - even if the link was exposed it would have no effect on admin security. Plus any hackers that want to try and get into the admin area would do it with or without the admin link as they would know the URL /admin.php
While they would not have access to it if they knew the direct link (or could even see it), no, it will not show those anyway, which would be a UI enhancement for those logged out or without the correct permissions.

Here's the staff bar logged in:
[Screenshot: 1727357760376.webp]

Here's the staff bar logged out:
[Screenshot: 1727357875893.webp]

And here's the code that adds the Google, Wikipedia, and Xenforo links as a reference to work with:
HTML:
    <div class="p-staffBar">
        <div class="p-staffBar-inner hScroller" data-xf-init="h-scroller">
            <div class="hScroller-scroll">
                <xf:if is="$xf.visitor.is_moderator && $xf.session.unapprovedCounts.total">
                    <a href="{{ link('approval-queue') }}" class="p-staffBar-link badgeContainer badgeContainer--highlighted" data-badge="{$xf.session.unapprovedCounts.total|number}">
                        {{ phrase('approval_queue') }}
                    </a>
                </xf:if>

                <xf:if is="$xf.visitor.is_moderator && !$xf.options.reportIntoForumId && $xf.session.reportCounts.total">
                    <a href="{{ link('reports') }}"
                        class="p-staffBar-link badgeContainer badgeContainer--visible {{ ($xf.session.reportCounts.total && ($xf.session.reportCounts.lastBuilt > $xf.session.reportLastRead) OR $xf.session.reportCounts.assigned) ? ' badgeContainer--highlighted' : '' }}"
                        data-badge="{{ $xf.session.reportCounts.assigned ? $xf.session.reportCounts.assigned|number . ' / ' . $xf.session.reportCounts.total|number : $xf.session.reportCounts.total|number }}"
                        title="{{ $xf.session.reportCounts.lastBuilt ? phrase('last_report_update:')|for_attr . ' ' . date_time($xf.session.reportCounts.lastBuilt) : '' }}">
                        {{ phrase('reports') }}
                    </a>
                </xf:if>

                <xf:if contentcheck="true">
                    <a class="p-staffBar-link menuTrigger" data-xf-click="menu" data-xf-key="alt+m" role="button" tabindex="0" aria-expanded="false" aria-haspopup="true">{{ phrase('moderator') }}</a>
                    <div class="menu" data-menu="menu" aria-hidden="true">
                        <div class="menu-content">
                            <h4 class="menu-header">{{ phrase('moderator_tools') }}</h4>
                            <xf:contentcheck>
                            <!--[XF:mod_tools_menu:top]-->
                            <xf:if is="$xf.visitor.is_moderator">
                                <a href="{{ link('approval-queue') }}" class="menu-linkRow">{{ phrase('approval_queue') }}</a>
                            </xf:if>
                            <xf:if is="$xf.visitor.is_moderator && !$xf.options.reportIntoForumId">
                                <a href="{{ link('reports') }}" class="menu-linkRow" title="{{ $xf.session.reportCounts.lastBuilt ? phrase('last_report_update:')|for_attr . ' ' . date_time($xf.session.reportCounts.lastBuilt) : '' }}">{{ phrase('reports') }}</a>
                            </xf:if>
                            <!--[XF:mod_tools_menu:bottom]-->
                            </xf:contentcheck>
                        </div>
                    </div>
                </xf:if>

                <xf:if is="$xf.visitor.is_admin">
                    <a href="{{ base_url('admin.php') }}" class="p-staffBar-link" target="_blank">{{ phrase('admin') }}</a>
                </xf:if>
                <a href="https://www.google.com/" class="p-staffBar-link" target="_blank">Google</a>
                <a href="https://www.wikipedia.org/" class="p-staffBar-link" target="_blank">Wikipedia</a>
                <a href="https://www.xenforo.com/community/" class="p-staffBar-link" target="_blank">Xenforo</a>
            </div>
        </div>
    </div>

Might want to remove target="_blank" from those links so they open in the same window if they're to something on your forum, or add rel="noopener nofollow" to external links with _blank.
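An added example, not part of either post and not XenForo code: a small Python lint for an edited staff bar template that reports any staff link left outside an `$xf.visitor.is_moderator` / `$xf.visitor.is_admin` conditional once the outer `contentcheck` wrapper is removed, and any external `target="_blank"` link without `rel="noopener"`. The names `StaffBarAudit`, `grants_staff` and `audit` are hypothetical, the staff link targets are the ones in the templates above, and the sample template is constructed.

```python
from html.parser import HTMLParser

# Link targets and visitor flags as they appear in the templates in this thread.
STAFF_TARGETS = ("approval-queue", "reports", "admin.php")
STAFF_FLAGS = ("$xf.visitor.is_moderator", "$xf.visitor.is_admin")

def grants_staff(cond):
    # Heuristic: a staff flag is present in the condition and not negated.
    return any(f in cond and "!" + f not in cond for f in STAFF_FLAGS)

class StaffBarAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.if_stack = []   # condition of each currently open <xf:if>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href, rel = a.get("href") or "", a.get("rel") or ""
        if tag == "xf:if":
            self.if_stack.append(a.get("is") or "")
        elif tag in ("xf:else", "xf:elseif") and self.if_stack:
            self.if_stack[-1] = a.get("is") or ""   # branch has its own condition
        elif tag == "a":
            guarded = any(grants_staff(c) for c in self.if_stack)
            if any(t in href for t in STAFF_TARGETS) and not guarded:
                self.findings.append(("unguarded-staff-link", href))
            if a.get("target") == "_blank" and href.startswith("http") and "noopener" not in rel:
                self.findings.append(("blank-without-noopener", href))

    def handle_endtag(self, tag):
        if tag == "xf:if" and self.if_stack:
            self.if_stack.pop()

def audit(template):
    parser = StaffBarAudit()
    parser.feed(template)
    return parser.findings

# Constructed sample: cut-down staff bar with the reports link left unguarded.
SAMPLE = """
<xf:if is="$xf.visitor.is_admin">
  <a href="{{ base_url('admin.php') }}" class="p-staffBar-link" target="_blank">Admin</a>
</xf:if>
<a href="{{ link('reports') }}" class="p-staffBar-link">Reports</a>
<a href="https://www.google.com/" class="p-staffBar-link" target="_blank">Google</a>
"""

print(audit(SAMPLE))
```

The condition check is a substring heuristic, so a condition that joins a staff flag to something else with OR still needs a manual look.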
 